Introducing GitHub Advanced Security SIEM integrations for security professionals

Daniel Shanahan, github.blog, Oct 13, 2022, 19:25
Tags: github, advanced security, siem integrations, splunk, microsoft sentinel, datadog, elastic, sumo logic, security overview, external reporting, configuration management database, user directory, asset attribution system, vulnerabilities, security alerts, secrets, vulnerability remediation, dependency, query, audit log, risk-based context, integration guide, technology partner program, open source license, integration replication, risk-based vulnerability management, observability, add-ons, audit logs, webhooks, syslog forwarder, collectd monitoring

GitHub Advanced Security (GHAS) is a developer-first application security platform. GitHub provides the Security Overview page for a high-level view of the security status of an organization and for identifying problematic repositories that require intervention. However, security operations professionals may want to run more powerful queries, create customized dashboards and visualizations, or join GitHub alerts with additional data from environment logs. To meet these needs we’re excited to announce our integrations with security information and event management (SIEM) providers Splunk, Microsoft Sentinel, Datadog, Elastic, and Sumo Logic. With these integrations, GHAS data can be easily exported to external SIEM reporting tools, enabling users to improve their security posture by increasing visibility into application security events.

By integrating GHAS with a SIEM solution, you can stitch together findings identified within the GitHub platform with other data, such as a Configuration Management Database (CMDB), user directory, or asset attribution system. This allows you to see events from your GHAS environment within the risk-based context of your business data. Some examples include:

  • Severe vulnerabilities in your high-profile or user-facing applications
  • A count of security alerts for each business unit
  • Secrets resolved on a per-team basis
  • The average time to remediate a vulnerability
  • Which repositories depend on a vulnerable dependency

You can also join GitHub Advanced Security data with GitHub Audit Log data, so, for example, you could see if an API token identified by secret scanning was used after it was leaked. These integrations give you a great starting point to build interesting insights.
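The joins described above (GHAS alerts enriched with CMDB context, and secret-scanning alerts correlated with audit-log token usage) are normally written as SIEM queries, but the logic is easy to show in plain code. The following is an added example, not code from GitHub or any of the vendors in this post. All records are constructed sample data, and the field names (`repo`, `secret_id`, `token_id`, `business_unit`, `user_facing`) are assumptions chosen to resemble alert and audit-log exports, not the real export schema.

```python
"""Correlate GHAS alerts with CMDB context and GitHub audit-log events.

Added example; records are constructed and field names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed CMDB: repository -> business unit and exposure (assumed fields).
CMDB = {
    "acme/payments-api": {"business_unit": "Finance", "user_facing": True},
    "acme/internal-tools": {"business_unit": "IT", "user_facing": False},
    "acme/storefront": {"business_unit": "Retail", "user_facing": True},
}

# Constructed GHAS alerts; `created_at` is when the finding was raised,
# `resolved_at` is None while the alert is still open.
ALERTS = [
    {"repo": "acme/payments-api", "type": "code_scanning", "severity": "critical",
     "created_at": "2022-10-01T09:00:00Z", "resolved_at": "2022-10-03T09:00:00Z"},
    {"repo": "acme/payments-api", "type": "secret_scanning", "severity": "high",
     "secret_id": "tok-1", "created_at": "2022-10-02T12:00:00Z", "resolved_at": None},
    {"repo": "acme/internal-tools", "type": "code_scanning", "severity": "medium",
     "created_at": "2022-10-01T00:00:00Z", "resolved_at": "2022-10-05T00:00:00Z"},
    {"repo": "acme/storefront", "type": "secret_scanning", "severity": "high",
     "secret_id": "tok-2", "created_at": "2022-10-04T08:00:00Z",
     "resolved_at": "2022-10-04T10:00:00Z"},
]

# Constructed audit-log events; `token_id` is the assumed join key that links
# an audit event back to the secret-scanning alert for the same token.
AUDIT_LOG = [
    {"timestamp": "2022-10-01T08:00:00Z", "action": "api.request", "token_id": "tok-1", "actor": "ci-bot"},
    {"timestamp": "2022-10-02T15:30:00Z", "action": "api.request", "token_id": "tok-1", "actor": "unknown-ip"},
    {"timestamp": "2022-10-04T07:00:00Z", "action": "api.request", "token_id": "tok-2", "actor": "ci-bot"},
    {"timestamp": "2022-10-04T11:00:00Z", "action": "api.request", "token_id": "tok-2", "actor": "ci-bot"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z' (works on Python < 3.11)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def severe_alerts_in_user_facing_apps(alerts, cmdb, min_severity="high"):
    """Alerts at or above `min_severity` in repositories the CMDB marks user-facing."""
    floor = SEVERITY_RANK[min_severity]
    return [a for a in alerts
            if cmdb.get(a["repo"], {}).get("user_facing")
            and SEVERITY_RANK[a["severity"]] >= floor]


def alert_counts_by_business_unit(alerts, cmdb):
    """Count alerts per business unit; repos missing from the CMDB land in 'unknown'."""
    counts = defaultdict(int)
    for a in alerts:
        counts[cmdb.get(a["repo"], {}).get("business_unit", "unknown")] += 1
    return dict(counts)


def mean_time_to_remediate_hours(alerts):
    """Average open-to-resolved time over resolved alerts; 0.0 if none are resolved."""
    durations = [(parse_ts(a["resolved_at"]) - parse_ts(a["created_at"])).total_seconds() / 3600
                 for a in alerts if a.get("resolved_at")]
    return sum(durations) / len(durations) if durations else 0.0


def token_use_after_leak(alerts, audit_log):
    """Audit events in which a leaked token was used after its alert was raised
    and before it was resolved (use after resolution is out of scope here)."""
    leaks = {a["secret_id"]: a for a in alerts if a["type"] == "secret_scanning"}
    hits = []
    for event in audit_log:
        alert = leaks.get(event.get("token_id"))
        if alert is None:
            continue
        used_at = parse_ts(event["timestamp"])
        leaked_at = parse_ts(alert["created_at"])
        resolved_at = parse_ts(alert["resolved_at"]) if alert["resolved_at"] else None
        if used_at > leaked_at and (resolved_at is None or used_at < resolved_at):
            hits.append({"secret_id": alert["secret_id"], "repo": alert["repo"],
                         "used_at": event["timestamp"], "actor": event["actor"]})
    return hits


if __name__ == "__main__":
    print(alert_counts_by_business_unit(ALERTS, CMDB))
    print(round(mean_time_to_remediate_hours(ALERTS), 1), "hours mean time to remediate")
    for hit in token_use_after_leak(ALERTS, AUDIT_LOG):
        print("leaked token used after detection:", hit)
```

In a SIEM the same correlation is a join of the secret-scanning alert source with the audit-log source on the token identifier, filtered to events whose timestamp falls inside the alert's open window; keeping the window bounded by `resolved_at` avoids counting failed use of an already-revoked token as an incident.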

If your tool of choice is not included below, we’ve written a detailed integration guide that you or the vendor can follow to replicate these integrations. If you’re a SIEM or logging vendor interested in following this integration path, please join our technology partner program. Many of the integrations are licensed under an open source license, so if you’d like to contribute a query or an additional data source, please make a pull request.

We’ve also partnered with a variety of Risk-Based Vulnerability Management platforms, which provide a more prescriptive view of GHAS data aimed specifically at security professionals; we’ll announce those in an upcoming post.

Splunk

Splunk is a data platform for security and observability, which helps organizations around the world investigate, monitor, analyze, and act on data at any scale. The Splunk integration is available on GitHub and Splunkbase, and provides add-ons for data sources:

Also, check out a handy Configuration Video Guide.

Microsoft Sentinel


Microsoft Sentinel is a cloud-native SIEM / security orchestration and automated response (SOAR) platform. The GitHub integration, available in public preview, is provided through the sentinel4github solution in the Azure Marketplace. The solution provides connectors to ingest GitHub audit logs and GitHub Advanced Security events into the platform. The Azure-Sentinel GitHub repository is the home for a comprehensive set of data connectors, log parsers, visualization workbooks, threat analytics detections, and threat hunting queries.

Datadog

Datadog seamlessly aggregates metrics, logs, and events across the full DevSecOps stack, enabling organizations to break down silos in a matter of minutes. The Datadog GitHub Apps integration is currently used by many organizations to reduce incident MTTR.

This updated integration now includes Audit Logs, Code Scans, Secret Scans, and Repository Metrics. This helps engineering teams get a detailed understanding of their security vulnerabilities and easily identify, prioritize, and act on them in a timely manner. To start using the new features, it is simply a matter of checking a few checkboxes in the integration configuration tile. Once configured, users get configurable out-of-the-box dashboards that serve as a starting point for understanding key insights and presenting a summary to executive stakeholders. Security teams can also use other Datadog products, such as Monitors, to set alerts where needed, as well as the Logs Explorer product for further deep dives.

Sumo Logic

The Sumo Logic Continuous Intelligence Platform™ provides powerful real-time analytics and insights to help practitioners and developers ensure application reliability, secure and protect against modern threats, and gain insight into their cloud infrastructure.

Sumo Logic’s integration for GitHub is available as a comprehensive app in the Sumo App Catalog, and visualizes key insights ingested directly from GitHub Webhooks, audit logs, and GitHub Advanced Security events. Out-of-the-box dashboards, searches, and alerts make it easy for developers and security engineers to quickly understand repository and commit activity, normal and anomalous user activity, and security alerts generated from secrets scanning, code scanning, and Dependabot. This lets mutual customers quickly understand their GitHub data in Sumo, in addition to being able to correlate it with other data sources to get broader and deeper insights.

Elastic Security


Elastic Security combines SIEM threat detection features with endpoint prevention and response capabilities in one solution. These analytical and protection capabilities, built on the speed and extensibility of Elasticsearch, enable analysts to defend their organization from threats.

Elastic’s GitHub integration is installed through the Elastic UI and is available to view within Elastic’s integration repository. The integration supports ingestion of GitHub audit events and GitHub Advanced Security events into Elastic Security. A set of visualizations, dashboards, and predefined searches are included with the integration. More information is available in Elastic documentation.

Learn how to easily ingest GitHub Advanced Security Alerts into Elastic Security.